This one has been in the list before, in a few different forms. It’s here as a single item in the 2024 list. In the 2016 list each element was considered important enough to be listed separately (M4 was Insecure authentication and M6 was insecure authorisation). In 2014 it was covered by M5 – Poor authentication and authorisation, and also touched on in M9 – Improper session handling. It persists, and remains a key attack vector, highlighting the importance of correct implementation.

Threat Agents	Application specific
Attack Vectors	Exploitability: EASY
Security Weakness	Prevalence: COMMON Detectability: AVERAGE
Technical Impacts	Impact: SEVERE – Wide-ranging – Significant – Over-privileged execution – Inability to log user actions accurately – Difficulty detecting source of attack
Business Impacts	Impact: SEVERE – Reputational damage – Information theft – Fraud – Unauthorised data access
Causes	Insecure Authentication – Anonymous API execiution – Local (on device) storage of passwords or shared secrets – Weak password policy – Usage of FaceID / Touch ID may lead to a false sense of security and proper controls not being implemented Insecure Authorisation – Presence of IDOR vulnerabilities may be a sign that the code is not authorising correctly * – Hidden endpoints – if an endpoint is not widely known outside the intended audience, developers might neglect authorisation checks – Role / Permission Transmission – if any information concerning the user’s role or permissions are transmitted to a back-end system as part of a request, this may be a sign of poor implementation
Prevention	Weak Patterns – If the app has an equivalent web site, it should employ at least the same number of authentication factors – All authentication requests should be performed server-side, with apps only loading data locally after successful on-line authentication – Avoid local user authentication as this can be bypassed on jailbroken devices – Avoid using values for authentication which can be spoofed, such as geo-location or device identifiers – Only store local data if necessary, and encrypt using a key derived from login credentials – Use device specific authentication tokens and allow the user to revoke them from within the app – “Remember me” functionality should never store the password on device – Avoid 4-digit PINs – Ensure that persistent authentication is opt-in, and never the default Reinforcement / Insecure Authorisation – Server-side code should assume that the app / device can be compromised, and as such enforce its own authentication and authorisation checks (and of course the app should not be transmitting user role or permission information – see above) – Use biometrics (FaceID / TouchID) to unlock sensitive data or functions, even for authenticated and authorised users – If local authentication is required, implement integrity checks as protection against binary attack **

_{* IDOR – Insecure Direct Object Reference – namely, when an API uses an identifier for direct access to an object in an internal database, but does not perform an authentication check}

_{** Binary attack – where a threat actor has modified the code inside the app’s binary with the aim of bypassing authentication / authorisation checks}

There are several scenarios where a vulnerability could be left open. Below are a couple of examples, in addition to those mentioned above:

User Interface Reliance

This is where the app and/or API rely on a function in the app only being made available to successfully authenticated and authorised users. Firstly, a binary attack could render this function available to a threat actor. Secondly, if the API makes the same assumption, it might not get a robust implementation of authentication and authorisation.

Usability

Some apps allow the use of a 4-digit PIN to grant access, for user convenience. Even if the server correctly stores only a hashed version of this, a threat actor will be able to discover the original PIN using rainbow hash tables, without much difficulty or time.

Read our OWASP Mobile Top 10 series here.

Or browse our blog for cybersecurity and other IT tips.